In a world of cyberthreats where the only constant is change, architecting a cybersecurity solution that dynamically adapts is crucial. Keeping up with new attack techniques, effectively defending against advanced threats and understanding how the enemy operates is perhaps the biggest challenge facing security teams today.
Attackers and their campaigns follow a sequence of events, or “attack lifecycle”, to successfully infiltrate a network and exfiltrate, destroy, or prevent access to data. While the order may not be constant, since attackers create their own sequence, the goal is always the same: to reach the last stage and achieve their objective. Because it happens over time, blocking just one of the following stages in the attack lifecycle is all you need to do to protect your organisation’s network and data from a breach.
Reconnaissance
Cyber criminals carefully plan their attacks. They research, identify, and select targets, often using phishing tactics or extracting public information from LinkedIn profiles or corporate websites. They try to learn as much as possible about the systems you’re running as they scan for services and applications they can exploit.
- Tools like IPS and firewalls can stop some of these tactics, specifically port scans and host sweeps. However, due to the public nature of the Internet, investigation by cyber criminals into your users and company affiliations is largely impossible to protect against.
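The port scans and host sweeps mentioned above are the one part of reconnaissance that touches your own network, so they are detectable. The following is an added example, not code from the original article or from Palo Alto Networks: a minimal detector that groups constructed firewall flow records by source and flags a port scan (many distinct ports against one host) or a host sweep (one port against many hosts). The record format, thresholds and addresses are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample flow records: (src_ip, dst_ip, dst_port, action).
# Not real traffic; built inline so the example runs offline.
FLOWS = (
    # one source probing twelve ports on a single host: a port scan
    [("203.0.113.9", "10.0.0.5", p, "deny") for p in range(20, 32)]
    # one source trying port 445 on six different hosts: a host sweep
    + [("198.51.100.7", f"10.0.0.{h}", 445, "deny") for h in range(1, 7)]
    # ordinary client traffic that should not raise an alert
    + [("192.0.2.4", "10.0.0.5", 443, "allow")] * 2
)

# Assumed thresholds; tune to the noise level of the network being watched.
PORT_SCAN_THRESHOLD = 10   # distinct ports from one source to one host
HOST_SWEEP_THRESHOLD = 5   # distinct hosts from one source on one port


def detect_recon(flows, port_threshold=PORT_SCAN_THRESHOLD,
                 host_threshold=HOST_SWEEP_THRESHOLD):
    """Return reconnaissance alerts as (kind, src, target, count) tuples."""
    ports_by_src_dst = defaultdict(set)   # (src, dst)  -> {ports}
    hosts_by_src_port = defaultdict(set)  # (src, port) -> {hosts}
    for src, dst, port, _action in flows:
        ports_by_src_dst[(src, dst)].add(port)
        hosts_by_src_port[(src, port)].add(dst)

    alerts = []
    for (src, dst), ports in ports_by_src_dst.items():
        if len(ports) >= port_threshold:
            alerts.append(("port_scan", src, dst, len(ports)))
    for (src, port), hosts in hosts_by_src_port.items():
        if len(hosts) >= host_threshold:
            alerts.append(("host_sweep", src, port, len(hosts)))
    return alerts


if __name__ == "__main__":
    for kind, src, target, count in detect_recon(FLOWS):
        print(f"{kind}: {src} -> {target} ({count})")
```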
Weaponisation
Attackers create tailored exploits and combine them with malicious payloads to leverage weaknesses they’ve found during reconnaissance. Because this stage is all done on the attacker’s side, security tools cannot defend against “weaponisation.”
- Tools like sandboxes and intrusion prevention systems (IPS) can help to defend against targeted vulnerabilities and custom payloads packaged during this stage. Exploit kit protection can help make newly weaponised tools obsolete by decreasing their effectiveness when they’re reused.
Delivery
Attackers determine how to send weaponised threats into a network, using methods like phishing and watering holes. They may choose to embed malicious code within a seemingly innocuous file, like a PDF or email message. Or, in highly targeted attacks, attackers may craft deliverables to catch the specific interests of an individual.
- Tools like anti-malware, sandboxing, and URL filtering or proxies can help to prevent delivery, if they monitor and defend against all traffic on all ports.
Exploitation
Once attackers gain access inside an organisation, they can activate attack code on the victim’s host and ultimately take control of the target machine. This opens the door for them to move laterally within the network, though typically command and control is executed before this happens.
- Tools like IPS devices and endpoint protection agents can be used to block exploitation, and highly segmented network architectures also help to limit the systems and devices an attack can exploit.
Installation
Attackers will seek to establish privileged operations, escalate access, and establish persistence by installing their own malicious program (malware), like a rootkit, on the victim machine. This stage is only enacted if malware is used in the attack. Typically, command and control happens during installation to download additional payloads from an attacker-controlled Web page or server.
- Tools like endpoint protection agents, URL filtering, and anti-malware technology are used to protect devices from installation.
Command and Control
Attackers establish a command channel back through the Internet to a specific server, so they can communicate and pass data back and forth between infected devices and attacker-controlled servers. Command and control occurs multiple times during an attack, often to fetch additional payloads, receive new instructions or updated code from the attacker, and siphon data out of an organisation.
- Tools like IP reputation services and DNS protection can help block command and control traffic.
Actions on the Objective
Attackers have different motivations, and it’s not always for profit. It may be to destroy critical infrastructure or deface Web property. Because this stage is always the last within the lifecycle and completes an attack, blocking the connection with the attacker, or stopping previous stages effectively, causes both this stage and the overall attack to fail.
Considering the attack lifecycle within the context of your organisation’s network architecture, and understanding how cyber criminals operate, will help you to design a better cybersecurity strategy and build a holistic defence that dynamically identifies symptoms of infection, zeroes in on the root cause, and prevents the disease. We partner with Palo Alto Networks, the next-generation security company maintaining trust in the digital age by helping organisations prevent cyber breaches.
‘Think like a Cyberattacker’ taken from Palo Alto Networks cybersecurity buyer’s guide entitled ‘The Definitive Guide for Evaluating Cybersecurity Solutions’